[Bug binutils/17531] readelf crashes on fuzzed samples

2022-08-02 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

Alan Modra  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #100 from Alan Modra  ---
fixed a while ago

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug binutils/17531] readelf crashes on fuzzed samples

2017-09-27 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #99 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Alan Modra :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6bd6a03d6975a96802b37741a99644570e52a72b

commit 6bd6a03d6975a96802b37741a99644570e52a72b
Author: Alan Modra 
Date:   Wed Sep 27 15:14:00 2017 +0930

PR22216, infinite loop in readelf process_symbol_table

This should make readelf bombproof given a fuzzed DT_HASH.  Also
removes a bogus check that would have resulted in wrong histograms.

PR 22216
* readelf.c (process_symbol_table): Check that DT_HASH symbol
chains are only visited once, and report an error if not.  Display
invalid symbol index if chain is out of range.  Use the same logic
when calculating histograms rather than the PR 17531 fix.  Delete
bogus check that chained index is less than number of buckets.

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/17531] readelf crashes on fuzzed samples

2017-02-24 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #98 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Maciej W. Rozycki :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c9f02c3e29498fd9ecb1a9719c317c305fe509ae

commit c9f02c3e29498fd9ecb1a9719c317c305fe509ae
Author: Maciej W. Rozycki 
Date:   Thu Feb 23 18:16:11 2017 +

readelf: Fix incorrect "Version definition past end of section" message

Fix a commit 74e1a04b9787 ("More fixes for reading corrupt ELF files.")
`readelf --version-info' regression that caused "Version definition past
end of section" to be always printed at the end, even with good section
data.

For example with the `mips-linux' target we get:

$ cat ver_def.s
.data
.globl  new_foo
.type   new_foo, %object
new_foo:
.symver new_foo, foo@@ver_foo
$ cat ver_def.ver
{ global: *foo*; local: *; };
$ as -o ver_def.o ver_def.s
$ ld -e 0 --export-dynamic --version-script=ver_def.ver -o ver_def ver_def.o
$ readelf -V ver_def

Version symbols section '.gnu.version' contains 4 entries:
 Addr: 007e  Offset: 0x01007e  Link: 2 (.dynsym)
  000:   0 (*local*)   2 (ver_foo)   1 (*global*)  2 (ver_foo)

Version definition section '.gnu.version_d' contains 2 entries:
  Addr: 0x0088  Offset: 0x010088  Link: 3 (.dynstr)
  00: Rev: 1  Flags: BASE   Index: 1  Cnt: 1  Name: ver_def
  0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: ver_foo
  Version definition past end of section
$

The cause is the `if (idx + ent.vd_next <= idx)' condition introduced to
ensure forward progress, which however always triggers for good version
definition section data as the last entry will have its `vd_next' value
set to 0.

Adjust the condition then, to say `if (idx + ent.vd_next < idx)' instead
and to ensure forward progress limit the number of entries processed to
the size of the version definition section, removing the problematic
message from output quoted above, while ensuring the original PR 17531
test case is still handled gracefully.

Add a suitable test case so that we have `readelf --version-info'
coverage; due to the lack of infrastructure needed to run the linker in
the `binutils' test suite and limited justification to implement it add
a new `readelf.exp' script to the `ld' test suite instead, intended to
gather any `readelf' test cases that require the linker to be run.  If
ever we decide to have linker infrastructure added to the `binutils'
test suite, then the script can be moved between the test suites.

binutils/
* readelf.c (process_version_sections) : Limit
the number of entries processed by the section size.  Don't
break out of the loop if `ent.vd_next' is 0.

ld/
* testsuite/ld-elf/ver_def.d: New test.
* testsuite/ld-elf/ver_def.ld: New test linker script.
* testsuite/ld-elf/ver_def.ver: New test version script.
* testsuite/ld-elf/ver_def.s: New test source.
* testsuite/ld-elf/readelf.exp: New test script.

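Added example (not binutils code, and not from the commit above): a minimal walker over a .gnu.version_d section that applies the three guards the commit above describes, so the effect of the `<= idx` versus `< idx` change and of the section-size cap can be run against constructed input. It assumes little-endian 20-byte Elfxx_Verdef entries laid out 28 bytes apart (verdef plus one 8-byte verdaux, as in the ver_def output above); the section bytes are constructed in memory, and `walk_verdefs`, `put_verdef` and `verdef_sample` are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* On-disk Elfxx_Verdef, same 20-byte layout for ELF32 and ELF64 (little-endian here):
   vd_version(2) vd_flags(2) vd_ndx(2) vd_cnt(2) vd_hash(4) vd_aux(4) vd_next(4). */
#define VERDEF_SIZE 20

typedef struct {
    uint16_t vd_version, vd_flags, vd_ndx, vd_cnt;
    uint32_t vd_hash, vd_aux, vd_next;
} verdef;

static uint16_t rd16 (const uint8_t *p) { return (uint16_t) (p[0] | (p[1] << 8)); }
static uint32_t rd32 (const uint8_t *p)
{
    return p[0] | ((uint32_t) p[1] << 8) | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

enum { VD_OK = 0, VD_PAST_END = 1, VD_NO_PROGRESS = 2, VD_TOO_MANY = 3 };

/* Walk the verdef entries of a section of `size` bytes, copying up to max_out
   of them into out[] and storing the number seen in *count.  Three guards keep
   a fuzzed vd_next from running off the section or spinning forever:
   (1) each entry must fit in the room that remains (compare sizes, never form
       idx + VERDEF_SIZE, which can wrap);
   (2) idx + vd_next must not wrap (idx is deliberately 32-bit, as in a 32-bit
       readelf build);
   (3) at most size / VERDEF_SIZE entries are ever processed.
   A vd_next of 0 is the normal end marker and ends the walk; it is what the
   earlier `idx + ent.vd_next <= idx` test wrongly treated as an error. */
static int
walk_verdefs (const uint8_t *sec, size_t size, verdef *out, size_t max_out, unsigned *count)
{
    uint32_t idx = 0;
    unsigned n = 0;
    size_t max_entries = size / VERDEF_SIZE;

    for (;;) {
        verdef ent;
        if (idx > size || size - idx < VERDEF_SIZE) return VD_PAST_END;
        if (n >= max_entries) return VD_TOO_MANY;
        ent.vd_version = rd16 (sec + idx);
        ent.vd_flags   = rd16 (sec + idx + 2);
        ent.vd_ndx     = rd16 (sec + idx + 4);
        ent.vd_cnt     = rd16 (sec + idx + 6);
        ent.vd_hash    = rd32 (sec + idx + 8);
        ent.vd_aux     = rd32 (sec + idx + 12);
        ent.vd_next    = rd32 (sec + idx + 16);
        if (out && n < max_out) out[n] = ent;
        n++;
        if (ent.vd_next == 0) break;
        if (idx + ent.vd_next < idx) return VD_NO_PROGRESS;
        idx += ent.vd_next;
    }
    *count = n;
    return VD_OK;
}

/* Serialize one entry (little-endian) at p; vd_cnt = 1, verdaux follows the entry. */
static void
put_verdef (uint8_t *p, uint16_t ndx, uint32_t next)
{
    memset (p, 0, VERDEF_SIZE);
    p[0] = 1;                                   /* vd_version */
    p[4] = (uint8_t) ndx; p[5] = (uint8_t) (ndx >> 8);
    p[6] = 1;                                   /* vd_cnt */
    p[12] = VERDEF_SIZE;                        /* vd_aux */
    p[16] = (uint8_t) next; p[17] = (uint8_t) (next >> 8);
    p[18] = (uint8_t) (next >> 16); p[19] = (uint8_t) (next >> 24);
}

static verdef   last_entries[4];
static unsigned last_count;

/* Constructed 56-byte sections (not the bug's attachments): two entries 28 bytes apart.
   0 = good: second vd_next is 0
   1 = second vd_next points exactly past the end of the section
   2 = second vd_next makes idx wrap around
   3 = every 32-bit word is 4, so each entry claims the next one is 4 bytes on;
       only the entry cap stops the walk */
int
verdef_sample (int which)
{
    uint8_t sec[56];
    memset (sec, 0, sizeof sec);
    put_verdef (sec, 1, 28);
    put_verdef (sec + 28, 2, 0);
    if (which == 1) put_verdef (sec + 28, 2, 28);
    if (which == 2) put_verdef (sec + 28, 2, 0xFFFFFFF0u);
    if (which == 3)
        for (size_t i = 0; i < sizeof sec; i += 4) { sec[i] = 4; sec[i + 1] = sec[i + 2] = sec[i + 3] = 0; }
    last_count = 0;
    return walk_verdefs (sec, sizeof sec, last_entries, 4, &last_count);
}

unsigned verdef_sample_count (void) { return last_count; }
unsigned verdef_sample_ndx (unsigned i) { return last_entries[i].vd_ndx; }
```

Sample 3 is the one the size cap exists for: every entry it parses has a non-zero vd_next, the wrap test never fires, and without guard (3) the loop would run until idx crept off the section.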


[Bug binutils/17531] readelf crashes on fuzzed samples

2016-01-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

Nick Clifton  changed:

   What|Removed |Added

 CC||vpbalint at silentsignal dot hu

--- Comment #97 from Nick Clifton  ---
*** Bug 19518 has been marked as a duplicate of this bug. ***



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-03-24 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #96 from cvs-commit at gcc dot gnu.org ---
The binutils-2_25-branch branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=304a2b6fe67786b45889a784bf71aabf2a9d26fd

commit 304a2b6fe67786b45889a784bf71aabf2a9d26fd
Author: Nick Clifton ni...@redhat.com
Date:   Tue Mar 24 11:31:37 2015 +

Import fixes for invalid memory access issues in the binutils DWARF parser
from the trunk sources.

PR binutils/17512
* dwarf.c (display_debug_loc): Pacify the undefined behaviour
sanitizer by simplifying address difference calculation.
(struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in
order to avoid arithmetic overflows.
(frame_display_row): Cast cfa_offset before printing it.
(display_debug_frames): Likewise.
Check for an unexpected segment size.
Change type of 'l' local to dwarf_vma and cast it back to an int
when printing.
(process_cu_tu_index): Tighten check for an invalid ncols value.
* readelf.c (process_corefile_note_segment): Check for
inote.descdata extending beyond the end of the section.
(process_v850_notes): Likewise.

2015-02-13  Nick Clifton  ni...@redhat.com

PR binutils/17512
* dwarf.c (read_leb128): Fix test for shift becoming too large.

PR binutils/17531
* dwarf.c (display_debug_aranges): Add check for an excessive
ar_length value.
(process_cu_tu_index): Check for a row * columns sum being too
large.

2015-02-13  Alan Modra  amo...@gmail.com

* dwarf.c: Formatting, whitespace.
(process_debug_info): Style fix.

2015-02-11  Nick Clifton  ni...@redhat.com

PR binutils/17531
* dwarf.c (display_debug_pubnames_worker): Work around compiler
bug checking address ranges.
(display_debug_frames): Likewise.
(display_gdb_index): Likewise.
(process_cu_tu_index): Add range check on the ncols value.

2015-02-10  Nick Clifton  ni...@redhat.com

PR binutils/17512
* dwarf.c (eh_addr_size): Use an unsigned type.
(size_of_encoded_value): Return an unsigned type.
(read_leb128): Break if the shift becomes too big.
(process_extended_line_op): Do not read the address if the length
is too long.
(read_cie): Warn and fail if the pointer size or segment size are
too big.
* dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect
structure definition.
(DWARF2_External_PubNames): Likewise.
(DWARF2_External_CompUnit): Likewise.
(DWARF2_External_ARange): Likewise.
(DWARF2_Internal_LineInfo): Use dwarf_vma type for
li_prologue_length.
(eh_addr_size): Update prototype.

PR binutils/17531
* dwarf.c (process_debug_info): Zero the debug information array
since correct initialisation cannot be relied upon.
(process_cu_tu_index): Improve range checks.

PR binutils/17531
* dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
offset.

2015-02-06  Nick Clifton  ni...@redhat.com

PR binutils/17512
* dwarf.c (display_debug_frames): Fix range checks to work on
32-bit binaries compiled on a 64-bit host.

PR binutils/17531
* dwarf.c (xcmalloc): Fail if the arguments are too big.
(xcrealloc): Likewise.
(xcalloc2): Likewise.
* readelf.c (process_mips_specific): Fail if an option has an
invalid size.

2015-02-05  Alan Modra  amo...@gmail.com

PR binutils/17926
* dwarf.c (dwarf_select_sections_by_letters): Don't refer to optarg.

2015-02-04  Nick Clifton  ni...@redhat.com

PR binutils/17531
* dwarf.c (read_and_display_attr_value): Test for a block length
being so long that it wraps around to before the start of the block.
(process_debug_info): Test for section_begin wrapping around to
before the start of the section.
(display_gdb_index): Test for num_cus being so large that the end
address wraps around to before the start of the section.
(process_cu_tu_index): Test for j being so large that the section
index pool wraps around to before the start of the section.

2015-02-03  Nick Clifton  ni...@redhat.com

PR binutils/17531
* dwarf.c (process_debug_info): Add range check.
(display_debug_pubnames_worker): Likewise.
(display_gdb_index): Fix range check.
(process_cu_tu_index): Add range check.
* readelf.c (get_data): Change parameter types from size_t to
bfd_size_type.  Add checks for loss of accuracy when casting from
bfd_size_type to size_t.

[Bug binutils/17531] readelf crashes on fuzzed samples

2015-03-24 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #95 from cvs-commit at gcc dot gnu.org ---
The binutils-2_25-branch branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1dead8aee09e9ba148f6f44040122f62b5e4acea

commit 1dead8aee09e9ba148f6f44040122f62b5e4acea
Author: Nick Clifton ni...@redhat.com
Date:   Tue Mar 24 10:30:34 2015 +

Import security fixes for readelf from the master branch:

2015-02-26  Nick Clifton  ni...@redhat.com

PR binutils/17512
* readelf.c (process_corefile_note_segment): Check for
inote.descdata extending beyond the end of the section.
(process_v850_notes): Likewise.

2015-02-24  Mike Frysinger  vap...@gentoo.org

PR binutils/17531
* readelf.c (process_symbol_table): Declare chained.  Increment it
in every loop.  Abort when chained is larger than nchains.  Move
error check outside of chain loop.

2015-02-10  Nick Clifton  ni...@redhat.com

PR binutils/17531
* readelf.c (dump_relocations): Handle printing offsets which are
MIN_INT.
(process_corefile_note_segment): Add range check of the namesz
field.

2015-02-06  Nick Clifton  ni...@redhat.com

* readelf.c (process_mips_specific): Fail if an option has an
invalid size.

2015-02-03  Nick Clifton  ni...@redhat.com

PR binutils/17531
* readelf.c (get_data): Change parameter types from size_t to
bfd_size_type.  Add checks for loss of accuracy when casting from
bfd_size_type to size_t.
(get_dynamic_data): Likewise.
(process_section_groups): Limit number of error messages.

2015-01-05  Nick Clifton  ni...@redhat.com

* readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not
be identified.
(dynamic_section_mips_val): Warn if the timestamp is invalid.
(print_mips_got_entry): Add a data_end parameter.  Warn if a read
would go beyond the end of the data, and return an error value.
(process_mips_specific): Do not read options from beyond the end
of the section.
Correct code to display optional data at the end of an option.
Warn if there are too many GOT symbols.
Update calls to print_mips_got_entry, and handle error returns.

2014-12-08  Nick Clifton  ni...@redhat.com

PR binutils/17531
* readelf.c (dump_ia64_unwind): Add range checks.
(slurp_ia64_unwind_table): Change to a boolean function.  Add
range checks.
(process_version_sections): Add range checks.
(get_symbol_version_string): Add check for missing section
headers.

2014-12-03  Nick Clifton  ni...@redhat.com

PR binutils/17531
* readelf.c (get_machine_flags): Replace call to abort with a
warning message and a return value.
(get_elf_section_flags): Likewise.
(get_symbol_visibility): Likewise.
(get_ia64_symbol_other): Likewise.
(get_ia64_symbol_other): Likewise.
(is_32bit_abs_reloc): Likewise.
(apply_relocations): Likewise.
(display_arm_attribute): Likewise.

2014-12-01  Nick Clifton  ni...@redhat.com

PR binutils/17512
* dwarf.h (struct dwarf_section): Add user_data field.
* dwarf.c (frame_need_space): Check for an over large register
number.
(display_debug_frames): Check the return value from
frame_need_space.  Check for a CFA expression that is so long the
start address wraps around.
(debug_displays): Initialise the user_data field.
* objdump.c (load_specific_debug_section): Save the BFD section
pointer in the user_data field of the dwarf_section structure.
(free_debug_section): Update BFD section data when freeing section
contents.
* readelf.c (load_specific_debug_section): Initialise the
user_data field.

2014-12-01  Nick Clifton  ni...@redhat.com

PR binutils/17531
* readelf.c (process_archive): Add range checks.

2014-11-28  Alan Modra  amo...@gmail.com

* readelf.c (get_32bit_elf_symbols): Cast bfd_size_type values to
unsigned long for %lx.
(get_64bit_elf_symbols, process_section_groups): Likewise.

2014-11-27  Espen Grindhaug es...@grindhaug.org
Nick Clifton  ni...@redhat.com

PR binutils/17531
* readelf.c (get_data): Move excessive length check to earlier on
in the function and allow for wraparound in the arithmetic.
(get_32bit_elf_symbols): Terminate early if the section size is
zero.  Check for an invalid sh_entsize.  Check for an index
section with an invalid size.
(get_64bit_elf_symbols): Likewise.
(process_section_groups): Check for an invalid 

[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-27 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #94 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

(In reply to Alexander Cherepanov from comment #93)
 Created attachment 8127 [details]
 Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
 
 valgrind
 
 Files: 1
 Errors:
   5 Invalid read of size ...

I cannot reproduce these failures. :-{  Maybe they have already been fixed by
one of the patches for PR 17512 ?

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-13 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #92 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

 Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
 Files: 2
 Errors:
   2 *** Segmentation fault

Fixed.

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-13 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #91 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ffc0f143c74a7d49f6d1ae3f835e404ef4e56772

commit ffc0f143c74a7d49f6d1ae3f835e404ef4e56772
Author: Nick Clifton ni...@redhat.com
Date:   Fri Feb 13 14:17:18 2015 +

Fixes for memory access violations triggered by running readelf on fuzzed
binaries.

PR binutils/17531
* dwarf.c (display_debug_aranges): Add check for an excessive
ar_length value.
(process_cu_tu_index): Check for a row * columns sum being too
large.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-13 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #93 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8127
  -- https://sourceware.org/bugzilla/attachment.cgi?id=8127&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

valgrind

Files: 1
Errors:
  5 Invalid read of size ...



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-11 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #88 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=362beea4b400bcd5aca3bb1215a77e9e749b07fe

commit 362beea4b400bcd5aca3bb1215a77e9e749b07fe
Author: Nick Clifton ni...@redhat.com
Date:   Wed Feb 11 13:05:04 2015 +

Fixes for invalid memory accesses triggered by running readelf on fuzzed
binaries.

PR binutils/17531
* dwarf.c (display_debug_pubnames_worker): Work around compiler
bug checking address ranges.
(display_debug_frames): Likewise.
(display_gdb_index): Likewise.
(process_cu_tu_index): Add range check on the ncols value.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-11 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #89 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

 Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
 Errors:
   1 Invalid read of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)

Fixed.

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-10 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #83 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03a91817f163986f10cb843f58e2f2cd9186e4f0

commit 03a91817f163986f10cb843f58e2f2cd9186e4f0
Author: Nick Clifton ni...@redhat.com
Date:   Tue Feb 10 17:13:31 2015 +

Fixes for memory access violations triggered by running readelf on fuzzed
binaries.

PR binutils/17531
* dwarf.c (process_debug_info): Zero the debug information array
since correct initialisation cannot be relied upon.
(process_cu_tu_index): Improve range checks.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-10 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #86 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

 Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan

 This is an experimental report. Attached samples expose undefined behavior.
 The errors are collected with binutils built with gcc-4.9
 -fsanitize=undefined (exact configure is in configure-ubsan.txt).
 
 If it's useful I'll integrate it into the usual reports. If it's not useful
 feel free to ignore it.

I do find it useful, so please do integrate it into your reports.

 Errors:
   1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable
 length array bound evaluates to non-positive value ...
   1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift
 exponent ... is too large for 64-bit type 'long long unsigned int'
   1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable
 length array bound evaluates to non-positive value ...
   1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable
 length array bound evaluates to non-positive value ...
   1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable
 length array bound evaluates to non-positive value ...
   1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable
 length array bound evaluates to non-positive value ...
   1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed
 integer overflow: ... * ... cannot be represented in type 'int'
   1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed
 integer overflow: ... * ... cannot be represented in type 'int'
   1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed
 integer overflow: ... * ... cannot be represented in type 'int'
   1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed
 integer overflow: ... * ... cannot be represented in type 'int'
   1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed
 integer overflow: ... * ... cannot be represented in type 'int'
   1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed
 integer overflow: ... * ... cannot be represented in type 'int'
   1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed
 integer overflow: ... - ... cannot be represented in type 'int'
   1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation
 of ... cannot be represented in type 'long long int'; cast to an unsigned
 type to negate this value to itself
   1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation
 of ... cannot be represented in type 'long long int'; cast to an unsigned
 type to negate this value to itself

These should all be fixed now.

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-10 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #85 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade

commit 834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade
Author: Nick Clifton ni...@redhat.com
Date:   Tue Feb 10 17:53:53 2015 +

Fix memory access violations discovered by running readelf compiled with
undefined memory access sanitization on fuzzed binaries.

PR binutils/17531
* dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
offset.
* readelf.c (dump_relocations): Handle printing offsets which are
MIN_INT.
(process_corefile_note_segment): Add range check of the namesz
field.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-10 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #87 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8119
  -- https://sourceware.org/bugzilla/attachment.cgi?id=8119&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

valgrind

Files: 1
Errors:
  1 Invalid read of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)

--

catchsegv

Files: 2
Errors:
  2 *** Segmentation fault



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-08 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #82 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8108
  -- https://sourceware.org/bugzilla/attachment.cgi?id=8108&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan

This is an experimental report. Attached samples expose undefined behavior. The
errors are collected with binutils built with gcc-4.9 -fsanitize=undefined
(exact configure is in configure-ubsan.txt).

If it's useful I'll integrate it into the usual reports. If it's not useful
feel free to ignore it.

--

ubsan

Files: 12
Errors:
  1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length
array bound evaluates to non-positive value ...
  1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent
... is too large for 64-bit type 'long long unsigned int'
  1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable length
array bound evaluates to non-positive value ...
  1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length
array bound evaluates to non-positive value ...
  1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length
array bound evaluates to non-positive value ...
  1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable length
array bound evaluates to non-positive value ...
  1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed integer
overflow: ... * ... cannot be represented in type 'int'
  1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed integer
overflow: ... * ... cannot be represented in type 'int'
  1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed integer
overflow: ... * ... cannot be represented in type 'int'
  1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed integer
overflow: ... * ... cannot be represented in type 'int'
  1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed integer
overflow: ... * ... cannot be represented in type 'int'
  1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed integer
overflow: ... * ... cannot be represented in type 'int'
  1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed
integer overflow: ... - ... cannot be represented in type 'int'
  1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation of
... cannot be represented in type 'long long int'; cast to an unsigned type to
negate this value to itself
  1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation of
... cannot be represented in type 'long long int'; cast to an unsigned type to
negate this value to itself



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-06 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #78 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8490fb409a37072389da7cafc3a92255e9a34c98

commit 8490fb409a37072389da7cafc3a92255e9a34c98
Author: Nick Clifton ni...@redhat.com
Date:   Fri Feb 6 12:19:20 2015 +

Fix memory access violations triggered by processing fuzzed binaries with a
32-bit version of readelf, compiled on a 64-bit host.

PR binutils/17531
* dwarf.c (xcmalloc): Fail if the arguments are too big.
(xcrealloc): Likewise.
(xcalloc2): Likewise.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-06 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #80 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

 Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
 Errors:
   8 Conditional jump or move depends on uninitialised value(s)
   1 Invalid write of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)
   2 Use of uninitialised value of size ...

These should all be fixed now.

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-04 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #76 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8102
  -- https://sourceware.org/bugzilla/attachment.cgi?id=8102&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

Files: 2
Errors:
  8 Conditional jump or move depends on uninitialised value(s)
  1 Invalid write of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)
  2 Use of uninitialised value of size ...



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-04 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #74 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f3853b34448594744f284fa96f26e41fd533a50d

commit f3853b34448594744f284fa96f26e41fd533a50d
Author: Nick Clifton ni...@redhat.com
Date:   Wed Feb 4 10:40:05 2015 +

More fixes for memory access violations triggered by running readelf on
fuzzed binaries.

PR binutils/17531
* dwarf.c (read_and_display_attr_value): Test for a block length
being so long that it wraps around to before the start of the block.
(process_debug_info): Test for section_begin wrapping around to
before the start of the section.
(display_gdb_index): Test for num_cus being so large that the end
address wraps around to before the start of the section.
(process_cu_tu_index): Test for j being so large that the section
index pool wraps around to before the start of the section.

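Added example (not binutils code): the two arithmetic hazards behind comment #74's "wraps around to before the start" checks and comment #78's xcmalloc/xcrealloc/xcalloc2 guards, each shown as the check that fails beside the one that holds. The pointer case is done on uintptr_t so the wrap is defined behaviour; the allocation case takes 64-bit counts, which is the situation of a 32-bit readelf narrowing a bfd_size_type. `block_fits_naive`, `block_fits` and `checked_malloc` are names chosen for this example, and the 64-byte section is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* The pattern the commit above replaces: form start + len and compare it
   with end.  When len is close to SIZE_MAX the sum wraps to an address
   before start, the comparison succeeds, and the caller goes on to read
   len bytes from the section. */
static int
block_fits_naive (const unsigned char *start, size_t len, const unsigned char *end)
{
    uintptr_t s = (uintptr_t) start, e = (uintptr_t) end;
    return s + len <= e;                /* wraps when len is huge */
}

/* Hardened form: never add len to the pointer before it has been checked.
   Compare len with the room that remains, a subtraction that cannot wrap
   once start <= end is known. */
static int
block_fits (const unsigned char *start, size_t len, const unsigned char *end)
{
    if (start > end) return 0;
    return len <= (size_t) (end - start);
}

/* Multiplication guard in the spirit of dwarf.c's xcmalloc/xcalloc2: refuse
   a count * size that does not fit in size_t rather than allocate a block far
   smaller than the caller's arithmetic says.  Both arguments are 64-bit so
   the test is meaningful on a 32-bit build as well.  Returns NULL on overflow
   or on allocation failure. */
static void *
checked_malloc (uint64_t nmemb, uint64_t size)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb) return NULL;
    return malloc ((size_t) (nmemb * size));
}

static unsigned char section[64];       /* constructed: stands in for loaded section data */

/* Both checks accept a block that exactly fills the section. */
int fits_ok (void)
{
    return block_fits_naive (section, 64, section + 64)
        && block_fits (section, 64, section + 64);
}

/* len = SIZE_MAX - 8 makes start + len wrap to start - 9, which is "before
   end", so the naive check accepts a 16-exabyte block in a 64-byte section. */
int naive_accepts_wrapped_len (void)
{
    return block_fits_naive (section + 16, SIZE_MAX - 8, section + 64);
}

int hardened_rejects_wrapped_len (void)
{
    return !block_fits (section + 16, SIZE_MAX - 8, section + 64);
}

/* 2^33 rows of 2^32 bytes cannot be represented in any size_t. */
int overflow_alloc_refused (void)
{
    return checked_malloc ((uint64_t) 1 << 33, (uint64_t) 1 << 32) == NULL;
}

int small_alloc_ok (void)
{
    void *p = checked_malloc (4, 8);
    int ok = p != NULL;
    free (p);
    return ok;
}
```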


[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-04 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #75 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

 Not sure if it supposed to be fixed already but the following samples still
 crash for me (without valgrind):
 
 0239616b
 0d903ffb
 206b89bd
 5b5f0592
 705e010d
 731b937f
 8a415f90
 908c0847
 e6b58147

Fascinating.  Valgrind was actually preventing the seg-faults from occurring.
I would never have suspected that.  Anyway, I have checked in another patch and
these tests should all pass now, both with and without valgrind.

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-03 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #71 from cvs-commit at gcc dot gnu.org cvs-commit at gcc dot 
gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=570286220e28e606e199b37a06cd199cadb592ba

commit 570286220e28e606e199b37a06cd199cadb592ba
Author: Nick Clifton ni...@redhat.com
Date:   Tue Feb 3 20:42:36 2015 +

Fix memory access violations triggered by running readelf on fuzzed
binaries.

PR binutils/17531
* dwarf.c (process_debug_info): Add range check.
(display_debug_pubnames_worker): Likewise.
(display_gdb_index): Fix range check.
(process_cu_tu_index): Add range check.
* readelf.c (get_data): Change parameter types from size_t to
bfd_size_type.  Add checks for loss of accuracy when casting from
bfd_size_type to size_t.
(get_dynamic_data): Likewise.
(process_section_groups): Limit number of error messages.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-02-02 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #70 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8095
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8095&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

More problems found with 32-bit binutils: built with -m32 on 64-bit host.

--

valgrind

Files: 39
Errors:
 39 Conditional jump or move depends on uninitialised value(s)
105 Invalid read of size ...
  1 Invalid write of size ...
 24 Process terminating with default action of signal 11 (SIGSEGV)
  7 Use of uninitialised value of size ...

--

gdb

Files: 4
Errors:
  4 No assertion info in gdb backtrace.

--

catchsegv

Files: 11
Errors:
 11 *** Segmentation fault



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-12 Thread joseph at codesourcery dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #69 from joseph at codesourcery dot com joseph at codesourcery dot 
com ---
On Mon, 12 Jan 2015, cvs-commit at gcc dot gnu.org wrote:

> (xcalloc2): New function.  Like xcalloc, but checks for overflow.
> * dwarf.h (xcalloc2): Prototype.

This should not be needed.  xcalloc calls calloc, which should check for 
overflow itself.  I see libiberty has a broken version of calloc, but 
since calloc is a C89 function no modern system should be using 
libiberty's version.  If we wish to allow for systems with broken calloc, 
libiberty's configure should detect such systems (based on a blacklist of 
broken systems) and substitute a working calloc.

(On the other hand, all the allocation macros in libiberty.h that do 
multiplications do need replacing by versions that check for overflow - 
that is, the existing macros need to be made to check for overflow, rather 
than having separate checking and non-checking versions.)



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-12 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #65 from cvs-commit at gcc dot gnu.org cvs-commit at gcc dot 
gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72c61a0d1ef445f99305859b66450da60ec6e0cb

commit 72c61a0d1ef445f99305859b66450da60ec6e0cb
Author: Nick Clifton ni...@redhat.com
Date:   Mon Jan 12 16:08:41 2015 +

More fixes for memory access errors when running readelf on fuzzed
binaries.

PR binutils/17531
* dwarf.c (process_debug_info): Check for abbrev_base being larger
than the section size.
(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
arrays.
(xcalloc2): New function.  Like xcalloc, but checks for overflow.
* dwarf.h (xcalloc2): Prototype.

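Both the xcalloc2 commit above and Joseph's reply about libiberty's multiplying allocation macros are about the same arithmetic: a count taken from the file, multiplied by an element size, wrapping to a small number before it reaches the allocator. The C below is an added example, not binutils' xcalloc2 or any libiberty code; `naive_bytes`, `checked_mul`, `checked_calloc`, `allocation_accepted` and `table_fits_section` are names chosen for it, and the sample counts are constructed.

```c
/* Added example, not binutils' xcalloc2: refuse allocations whose element
   count times element size overflows size_t.  A fuzzed count (for instance
   the number of CUs or TUs in an index section) would otherwise wrap to a
   small byte count, and the loop that fills the table would write far past
   the buffer.  All function names here are chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The arithmetic an unchecked macro of the form sizeof (T) * (n) performs:
   the product silently wraps modulo SIZE_MAX + 1. */
static size_t naive_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Multiply two size_t values, reporting overflow instead of wrapping. */
static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* calloc wrapper that takes the count as it is read from the file (a 64-bit
   field) and fails cleanly if the count cannot be represented on this host
   or count * size overflows.  NULL means "corrupt input", not "retry". */
static void *checked_calloc(uint64_t count, size_t size)
{
    size_t total;
    if (count > (uint64_t) SIZE_MAX)     /* wider than size_t: 32-bit host */
        return NULL;
    if (!checked_mul((size_t) count, size, &total))
        return NULL;
    return calloc((size_t) count, size);
}

/* True when the request passes the checks; frees immediately so the
   decision can be tested without leaking. */
static bool allocation_accepted(uint64_t count, size_t size)
{
    void *p = checked_calloc(count, size);
    if (p == NULL)
        return false;
    free(p);
    return true;
}

/* Stronger check for a table that must lie inside a section: its byte size
   must neither overflow nor exceed the bytes the section has left.  This
   is the shape of the "end address wraps around" tests in the thread. */
static bool table_fits_section(uint64_t count, size_t size, size_t remaining)
{
    size_t bytes;
    if (count > (uint64_t) SIZE_MAX)
        return false;
    if (!checked_mul((size_t) count, size, &bytes))
        return false;
    return bytes <= remaining;
}

int main(void)
{
    /* Constructed fuzzed count: (SIZE_MAX / 4 + 2) * 8 wraps to 8 bytes. */
    size_t fuzzed = SIZE_MAX / 4 + 2;
    printf("naive bytes for fuzzed count: %zu\n", naive_bytes(fuzzed, 8));
    printf("checked_calloc accepts it: %s\n",
           allocation_accepted(fuzzed, 8) ? "yes" : "no");
    printf("4 x 8 in 32 bytes fits: %s\n",
           table_fits_section(4, 8, 32) ? "yes" : "no");
    return 0;
}
```

`naive_bytes` is the pattern Joseph objects to in the libiberty macros; `checked_mul` is what "the existing macros need to be made to check for overflow" amounts to, and `table_fits_section` adds the section bound that a count must also satisfy even when the product does not overflow.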


[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-12 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #66 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`
> Errors:
>   4 Conditional jump or move depends on uninitialised value(s)
>   1 Invalid read of size ...
>   1 Process terminating with default action of signal 11 (SIGSEGV)
>   1 Use of uninitialised value of size ...

Fixed. :-)

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-12 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #67 from cvs-commit at gcc dot gnu.org cvs-commit at gcc dot 
gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1306a7421c764d1f5e2a08afdb9b5818662c9e9c

commit 1306a7421c764d1f5e2a08afdb9b5818662c9e9c
Author: Nick Clifton ni...@redhat.com
Date:   Mon Jan 12 17:28:55 2015 +

Another fix for memory access errors triggered by running readelf on a
corrupt binary.

PR binutils/17531
* dwarf.c (display_debug_addr): Use xcalloc to allocate the
debug_addr_info array.  Check for an address_base that is too large.



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-12 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #68 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`
> Errors:
>   6 Conditional jump or move depends on uninitialised value(s)
>   8 Invalid read of size ...
>   1 Process terminating with default action of signal 11 (SIGSEGV)
>   1 Use of uninitialised value of size ...

Also fixed.

Cheers
  Nick



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-11 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #63 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8060
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8060&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 1
Errors:
  4 Conditional jump or move depends on uninitialised value(s)
  1 Invalid read of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)
  1 Use of uninitialised value of size ...



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-11 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #64 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8061
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8061&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 1
Errors:
  6 Conditional jump or move depends on uninitialised value(s)
  8 Invalid read of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)
  1 Use of uninitialised value of size ...



[Bug binutils/17531] readelf crashes on fuzzed samples

2015-01-01 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #59 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8037
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8037&action=edit
More problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

valgrind

Files: 5
Errors:
 12 Invalid read of size ...
  5 Invalid write of size ...
  4 Process terminating with default action of signal 11 (SIGSEGV)

--

gdb

Files: 2
Errors:
  1 No assertion info in gdb backtrace.
  1 readelf.c:14056: process_mips_specific: Assertion `global_end >=
local_end' failed.



[Bug binutils/17531] readelf crashes on fuzzed samples

2014-12-23 Thread cherepan at mccme dot ru
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

Alexander Cherepanov cherepan at mccme dot ru changed:

   What|Removed |Added

Summary|readelf -a crashes on   |readelf crashes on fuzzed
   |fuzzed samples  |samples
